Last year we reported about a new modular malware using a network protocol similar to Dyreza – you can read about it here. The malware was not very stealthy and some parts looked to be under development, but we noticed its potential and its capability to be easily extended. Indeed, the authors of TrickBot are persistent not only in spreading their product but also in developing new features.

Some of the novel changes have been noted in the report of Security Art Work (available here).

But the authors of the malware didn’t stop there – recently we captured some additions, for example the one called Outlook.dll. While most of the modules are written in C++, this one is written in Delphi. It may indicate that the team of developers gained some new members who are more comfortable with this particular language.

Behavioral analysis

As before, after being deployed TrickBot installs itself in a new directory created in %APPDATA%. It runs a new instance from the installation directory.

Inside, it creates another directory – Modules, where it drops downloaded modules and their configuration files in encrypted form:

The way in which the modules and configuration files are encrypted didn’t change – still, we can use the same scripts to recover them.

After decrypting config.conf we got some more details about the current campaign – the version of the analyzed configuration is 1000030 and the given group tag is tt0002. Fragment:

As before, persistence is achieved with the help of a Scheduled Task:

The task deploys the main bot, which, after being run, decrypts and loads the other modules. Each module is injected into a new instance of svchost:
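The two persistence details above (installation into a fresh directory under %APPDATA% and a Scheduled Task that launches the bot from there) give a defender something concrete to look for. The following Python triage script is an added example, not part of the original post and not TrickBot's code: it parses Task Scheduler XML definitions (the format Windows stores under %SystemRoot%\System32\Tasks) and flags Exec actions whose command runs from a user-profile location. The task names, binary paths and the two definitions themselves are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by Windows Task Scheduler XML definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Environment variables and path fragments that resolve into a user-writable
# profile location; a scheduled task launching from there deserves a closer look.
USER_WRITABLE = re.compile(
    r"^%(APPDATA|LOCALAPPDATA|USERPROFILE)%"
    r"|\\AppData\\(Roaming|Local)\\",
    re.IGNORECASE,
)

# Constructed sample definitions (hypothetical names and paths): one ordinary
# task, and one modelled on the behaviour described above, where the action
# runs a binary installed in a new directory under %APPDATA%.
SAMPLE_TASKS = {
    "UpdateCheck": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wuauclt.exe</Command>
      <Arguments>/detectnow</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "services_update": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%APPDATA%\winapp\client.exe</Command>
    </Exec>
  </Actions>
</Task>""",
}


def exec_commands(task_xml):
    """Return (command, arguments) for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        cmd = exec_node.findtext(TASK_NS + "Command", default="").strip().strip('"')
        args = exec_node.findtext(TASK_NS + "Arguments", default="").strip()
        actions.append((cmd, args))
    return actions


def is_suspicious_command(cmd):
    """True when the command path points into a user profile directory."""
    return bool(USER_WRITABLE.search(cmd))


def triage_tasks(tasks):
    """Map task name -> list of flagged commands (tasks without findings are omitted)."""
    findings = {}
    for name, task_xml in tasks.items():
        flagged = [cmd for cmd, _ in exec_commands(task_xml) if is_suspicious_command(cmd)]
        if flagged:
            findings[name] = flagged
    return findings


def scan_task_folder(folder):
    """Triage every definition below a Tasks folder on a live host.

    The on-disk files are UTF-16 with a BOM, so they are read as bytes and
    left to the XML parser to decode.
    """
    tasks = {}
    for path in Path(folder).rglob("*"):
        if path.is_file():
            tasks[str(path.relative_to(folder))] = path.read_bytes()
    return triage_tasks(tasks)


if __name__ == "__main__":
    for task, cmds in triage_tasks(SAMPLE_TASKS).items():
        print(f"{task}: runs from a user-writable location -> {cmds}")
```

On a real host, `scan_task_folder(r"C:\Windows\System32\Tasks")` applies the same check to every stored definition; the hit list is a starting point for review rather than a verdict, since legitimate per-user installers also register tasks under AppData.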

Inside

As before, all the TrickBot modules follow a predefined API. They export four functions:

Control

FreeBuffer

Release

Start

As mentioned in the section “Behavioral analysis”, in the current run we observed 5 modules. SystemInfo.dll and loader.dll (injectDll32) have been present in TrickBot since the very beginning. The module mailsearcher.dll was introduced in December 2016 (according to F5 DevCentral’s article). But there are some modules in the set that we haven’t seen described before: module.dll and Outlook.dll.

module.dll/importDll32

Overview

This bulky module is written in C++, compiled with Qt5 and OpenSSL, and also incorporates SQLite. Inside the binary we can find strings indicating the particular versions of the libraries:

The DLL’s compilation timestamp indicates that it is pretty fresh, written in May of this year:

2017:05:27 14:27:06+01:00
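As an added example (not code from the post, and not from the malware), here is a small Python triage helper that covers two of the points above: it walks a DLL's PE headers to read the COFF compile timestamp and the export names, and checks whether the export set matches the Control/FreeBuffer/Release/Start interface the modules share. Since the post does not ship a sample, the script also builds a minimal constructed PE32 DLL to run against; the export names and the 2017-05-27 timestamp come from the post, everything else about that sample file is made up.

```python
import struct
from datetime import datetime, timezone

# Export set shared by TrickBot modules, as listed in the post.
TRICKBOT_MODULE_EXPORTS = frozenset({"Control", "FreeBuffer", "Release", "Start"})

# The compile timestamp reported above (2017:05:27 14:27:06+01:00) as a UTC epoch value.
SAMPLE_TIMESTAMP = int(datetime(2017, 5, 27, 13, 27, 6, tzinfo=timezone.utc).timestamp())


def _rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset via the section table."""
    for virt_addr, raw_ptr, size in sections:
        if virt_addr <= rva < virt_addr + size:
            return rva - virt_addr + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def parse_pe(data):
    """Return (coff_timestamp, exported_names) for a PE image held in memory.

    Only the headers and the export directory are walked; nothing is loaded or run.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _machine, n_sections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = 96 if magic == 0x10B else 112  # data-directory offset: PE32 vs PE32+
    export_rva, _export_size = struct.unpack_from("<II", data, opt + dir_off)
    sections = []
    for i in range(n_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData follow the 8-byte name
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, raw_ptr, max(vsize, raw_size)))
    names = []
    if export_rva:
        exp = _rva_to_offset(sections, export_rva)
        fields = struct.unpack_from("<IIHHIIIIIII", data, exp)  # IMAGE_EXPORT_DIRECTORY
        n_names, names_rva = fields[7], fields[9]               # NumberOfNames, AddressOfNames
        table = _rva_to_offset(sections, names_rva)
        for i in range(n_names):
            name_rva = struct.unpack_from("<I", data, table + 4 * i)[0]
            start = _rva_to_offset(sections, name_rva)
            names.append(data[start:data.index(b"\0", start)].decode("ascii"))
    return timestamp, names


def compile_time(data):
    """COFF TimeDateStamp as an aware UTC datetime (trivially forgeable, still useful for triage)."""
    ts, _ = parse_pe(data)
    return datetime.fromtimestamp(ts, timezone.utc)


def has_trickbot_module_exports(data):
    """True when the DLL exposes the Control/FreeBuffer/Release/Start interface."""
    _, names = parse_pe(data)
    return TRICKBOT_MODULE_EXPORTS.issubset(names)


def build_sample_dll(export_names, timestamp):
    """Construct a minimal PE32 DLL with a single .edata section (test input, not a real module)."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(export_names)
    funcs_rva = sec_rva + 40          # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, timestamp, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # dummy code RVAs
    body += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x2102)   # i386, 1 section, DLL
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<II", optional, 96, sec_rva, len(body))                 # export data directory
    section = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(optional) + section).ljust(sec_raw, b"\0")
    return headers + body


if __name__ == "__main__":
    sample = build_sample_dll(sorted(TRICKBOT_MODULE_EXPORTS), SAMPLE_TIMESTAMP)
    print(compile_time(sample).isoformat(), has_trickbot_module_exports(sample))
```

To run it against a file from a Modules directory you would first decrypt the module as the post describes and then call `parse_pe(open(path, "rb").read())`; the export check is a cheap first filter for sorting recovered DLLs, and the timestamp is worth reading but not trusting, since the linker field can be set to anything.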

Functionality-wise, this module is focused on stealing data from the browsers, such as:

Cookies

HTML5 Local Storage

Browsing History

Flash LSO (Local Shared Objects)

URL hits

…and more.

The authors didn’t put any effort into hiding their intentions. Debug strings informing about every action taken are printed. Examples:

Grabbing URL hits:

In contrast to loader.dll/injectDll (referenced here), which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, inside the binary we can find a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more:

Browser fingerprinting

During its run the module creates a hidden desktop:

This desktop is used as a workspace, where the malicious module can open and fingerprint browsers in a way that is not noticed by the user.

Inside the malware’s code we can find some hardcoded HTML files with JavaScript that are used for gathering information about the browser’s configuration. For example:

Conclusion

TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, the Delphi language for Outlook.dll. Those changes may indicate some changes in the development team – either they gained new members who have been delegated to the new tasks, or some of the previous members resigned and have been replaced by lower quality programmers. It may also be possible that they are doing some prototyping and experiments for further development.

Anyway, as we can see, TrickBot is still actively maintained and it is not going to leave the landscape any time soon.

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.